SSL and poor journalism ruin my day
Some random blogger recently ruined my day with what I would say was an inaccurate Register article about SSL deployment on public web sites.
First of all the article is very misleading. It seems to suggest that a low rating here would mean the website is insecure... that is not the case. What it's actually saying is that the site is allowing older and less secure versions of SSL. Now ideally you don't want to allow this sort of thing but sometimes you have to in order to support older devices. For a public service website like this you want it to be as accessible as possible. Hence you have to mitigate issues like this in different ways. The site I am in charge of looking after failed this test on the basis that it was susceptible to the "POODLE" attack, according to this article. In truth that was not the case, we had just mitigated that flaw in a way that this test is unable to detect.
POODLE is a known flaw in SSL v3 and yes, our environment does (did) support SSL v3. However, we mitigate that flaw with an advanced firewall with an Intrusion Prevention System (IPS). This system has a number of IPS signatures specifically designed to patch the holes in SSL v3 and many other flaws in many other systems; it's good stuff and allows us to give maximum compatibility at minimal risk.
The problem was not with our system but the way this test was carried out. All they tested was what types of SSL we offer, and then they marked us down for that regardless of what the system actually does. If they had done a specific vulnerability test we would have passed with an A+, alas they did not. It also overlooks the fact that some of the sites criticized in this article contain no sensitive or private data and the only reason they have SSL is so that Google will play nice with them, so even if they were flawed it was of little consequence.
Of course journalism these days rarely likes to burden itself with facts or accuracy as that does get people to their rag, so the person who has written this has gone for maximum effect, minimum accuracy.
When a public facing department like the Police gets bad press they panic, and rightly so. So thanks to this article we have had to remove SSL v3 and TLS 1.0 from the site completely just so an inaccurate test can give them a high score, which will in turn allow an irresponsible journalist not to write inaccurate things about them... OK, maybe I am being a little hard on this journalist, but for me if you are going to write what I would consider to be an accusatory and potentially damaging article about something she could have at least tried to contact the companies that host these sites.
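For readers who run their own sites, here is what that protocol removal looks like in practice. This is an added example, not the author's configuration or the one on the site discussed: an nginx server block with the permissive protocol list that a version-probe scanner flags, beside the list that drops SSL v3 and TLS 1.0 as described above. The hostname and certificate paths are placeholders.

```nginx
# Added example (not the author's configuration). Hostname and certificate
# paths are placeholders to be replaced with the real ones.

server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # Before: maximum compatibility. SSLv3 is still offered, so a test that
    # only checks which protocol versions the server will negotiate reports
    # the POODLE-era version as available, whatever an IPS in front of the
    # server does with the traffic.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # After: SSL v3 and TLS 1.0 removed. The same probe now sees only the
    # newer versions; clients that can only speak SSLv3 or TLS 1.0 can no
    # longer connect at all, which is the compatibility cost the post describes.
    ssl_protocols TLSv1.1 TLSv1.2;
}
```

Validate the file with `nginx -t` before reloading. Because scanners of the kind discussed here exercise the protocol negotiation itself, the `ssl_protocols` line is exactly what they observe, regardless of any inspection device sitting in front of the server.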
The downside to all this: if you are running an old version of a browser, or have an old phone or BlackBerry, this site no longer exists for you. We have had to sacrifice your access for the appearance of security... Isn't the internet wonderful :D